Ipsec RSA with XAuth authentication

This article describes the configuration of a roadwarrior scenario in which a d-200 phone connects to a COMmander 6000 through a strongSwan VPN server.

The strongSwan configuration is based on the following document. In our example the d-200 is located in the 192.168.1.0/24 subnet, the PBX in the 192.168.21.0/24 subnet, and the strongSwan server uses the IP address 192.168.1.239.

The strongSwan server uses a certificate chain that was created with the ipsec pki tool. It is helpful to pass --outform pem, so that the resulting certificates and keys can be pasted directly into the phone configuration.

Also make sure that all required plugins are installed and loaded: some strongSwan installations (e.g. Raspbian's package) need additional packages such as `libstrongswan-extra-plugins` or `libcharon-extra-plugins` before they support XAuth. `ipsec statusall` lists the plugins charon has actually loaded.

ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file
 
# basic configuration
 
config setup
 
conn rw
    keyexchange=ikev1
    left=192.168.1.239
    leftcert=server.pem
    leftid="C=DE, O=myVPN, CN=192.168.1.239"
    leftsendcert=always
    leftauth=pubkey
    leftsubnet=192.168.21.0/24
    leftfirewall=yes
    right=%any
    # first authentication round: client certificate, second round: XAuth user name/password
    rightauth=pubkey
    rightauth2=xauth
    # virtual IP pool assigned to the connecting phones
    rightsourceip=192.168.1.0/24
    rightsendcert=ifasked
    auto=add
    # modp1024 (DH group 2) is weak; use modp2048 or higher if the phone supports it
    ike="aes256-sha384-modp1024"
/etc/ipsec.secrets
# This file holds shared secrets or RSA private keys for authentication.
 
# RSA private key for this host, authenticating it to any other host
# which knows the public part.
 
 : RSA server.pem
 
theUserName  : XAUTH "secretXauthPassword"

Troubleshooting: make sure that IP forwarding is enabled on the server. If NAT is in use, the phone will need a STUN server to set up the RTP connection correctly.

configurationXauthRSA.xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <network>
    <vpn>
      <active>true</active>
      <vpnType>IpsecXauthRSA</vpnType>
      <name>xauthRSA</name>
      <server>192.168.1.239</server>
      <username>theUserName</username>
      <password>secretXauthPassword</password>
      <routes>192.168.21.0/24</routes>
      <dnsServers>192.168.21.44</dnsServers>
      <searchDomains></searchDomains>
      <ipsecUserCert>-----BEGIN CERTIFICATE-----
MIIECDCCAfCgAwIBAgIIV2e5OjpmO/cwDQYJKoZIhvcNAQEMBQAwLzELMAkGA1UE
...
KzTACM76B9Lp696U1+0ZkigfvTYd90jP8gZ21H2ovG3WnP67mvLDxog5O8VCwdqv
Tdbtd2oADuEWtgU0mhbcV4xDIU/3Z5umyG4djw==
-----END CERTIFICATE-----</ipsecUserCert>
      <ipsecUserPrivateKey>-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAuIsnvr78JsLcvOO1/TpR9/i0MxA8qibab+zl5lg2QnNRhvu1
...
28kvUT6mS9wRPQv8aHS15sVo0S8F1rhcV5omexTJHnr/1IGTsKYs/eoWD/aOk2Tu
/5sVRDmI3/ZCCDh8P7Ze/Wl7swg0TcMVz7fRwJiGydaNx7EFgeQ=
-----END RSA PRIVATE KEY-----</ipsecUserPrivateKey>
      <ipsecCaCert>
-----BEGIN CERTIFICATE-----
MIIFVDCCAzygAwIBAgIIathgW2F9FK0wDQYJKoZIhvcNAQEMBQAwSDELMAkGA1UE
[...]
eVFk0ppvntZWPWyi9bkyMFsvPcnKLReA
-----END CERTIFICATE-----
      </ipsecCaCert>
      <ipsecServerCert>
-----BEGIN CERTIFICATE-----
MIIEVjCCAj6gAwIBAgIIbv82bUNvoQ8wDQYJKoZIhvcNAQEMBQAwSDELMAkGA1UE
[...]
tCQX/JZ7e9AAdw==
-----END CERTIFICATE-----
      </ipsecServerCert>
    </vpn>
  </network>
  <identities>
    <identity>
      <active>true</active>
      <displayname>COMmander 6000</displayname>
      <username>70</username>
      <host>192.168.21.100</host>
      <password>AccountPassword</password>
      <frameSize>20</frameSize>
      <audiocodecs>
        <audiocodec>G.722</audiocodec>
        <audiocodec>G.711</audiocodec>
      </audiocodecs>
      <clir>displayAnonymous</clir>
      <localmoh>false</localmoh>
      <secureConnection>false</secureConnection>
      <srtp>disabled</srtp>
      <ipVersion>IpV4</ipVersion>
      <checkHostname>true</checkHostname>
      <pickupCode>##06</pickupCode>
      <interfaceType>vpn</interfaceType>
    </identity>
    <identity>
      <active>false</active>
    </identity>
    <identity>
      <active>false</active>
    </identity>
    <identity>
      <active>false</active>
    </identity>
    <identity>
      <active>false</active>
    </identity>
    <identity>
      <active>false</active>
    </identity>
  </identities>
</configuration>

The identity sets the interface type to vpn (`<interfaceType>vpn</interfaceType>`), so the SIP registration at the PBX is only performed after the tunnel has been established.
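A cross-check of the phone profile against the server-side files, added here as an example (not part of the original article and not Auerswald or strongSwan code): it parses a minimal ipsec.conf and ipsec.secrets plus the configurationXauthRSA.xml profile and reports the mismatches that otherwise only show up in the charon log. The sample inputs are constructed from the article's values with placeholder PEM bodies, and the modp1024 warning is the editor's addition.

```python
import re
import xml.etree.ElementTree as ET

def parse_ipsec_conf(text):
    """Return {conn: {key: value}} per 'conn' section; tolerates 'key = value' spacing."""
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        m = re.match(r"conn\s+(\S+)", line)
        if m:
            cur = conns.setdefault(m.group(1), {})
        elif cur is not None and "=" in line:
            k, v = (s.strip() for s in line.split("=", 1))
            cur[k] = v.strip('"')
    return conns

def xauth_users(secrets):
    """Usernames that have an XAUTH password line in ipsec.secrets."""
    return set(re.findall(r'^\s*(\S+)\s*:\s*XAUTH\s+"', secrets, re.M))

def check_profile(xml_text, conf_text, secrets_text, conn="rw"):
    """Return a list of findings; an empty list means profile and server config agree."""
    c = parse_ipsec_conf(conf_text)[conn]
    vpn = ET.fromstring(xml_text).find("./network/vpn")
    get = lambda tag: (vpn.findtext(tag) or "").strip()
    out = []
    if get("server") != c.get("left"):
        out.append("server %r does not match left=%r" % (get("server"), c.get("left")))
    if get("routes") != c.get("leftsubnet"):
        out.append("routes %r does not match leftsubnet=%r" % (get("routes"), c.get("leftsubnet")))
    if c.get("rightauth2") == "xauth" and get("username") not in xauth_users(secrets_text):
        out.append("no XAUTH secret for user %r" % get("username"))
    for tag, hdr in (("ipsecUserCert", "CERTIFICATE"), ("ipsecUserPrivateKey", "RSA PRIVATE KEY"),
                     ("ipsecCaCert", "CERTIFICATE")):  # rightauth=pubkey needs all three PEM blobs
        if not re.search(r"-----BEGIN %s-----.*-----END %s-----" % (hdr, hdr), get(tag), re.S):
            out.append("%s is not a PEM %s block" % (tag, hdr))
    if "modp1024" in c.get("ike", ""):  # 1024-bit DH is deprecated (RFC 8247)
        out.append("ike= uses modp1024 (1024-bit DH); prefer modp2048 or stronger")
    return out

# Constructed samples mirroring the article's values; PEM bodies are placeholders.
CONF = ("config setup\n\nconn rw\n    keyexchange=ikev1\n    left=192.168.1.239\n"
        "    leftsubnet=192.168.21.0/24\n    rightauth=pubkey\n    rightauth2=xauth\n"
        "    rightsourceip = 192.168.1.0/24\n    ike=\"aes256-sha384-modp1024\"\n")
SECRETS = ' : RSA server.pem\ntheUserName  : XAUTH "secretXauthPassword"\n'
pem = lambda h: "-----BEGIN %s-----\nMIIB...placeholder...\n-----END %s-----" % (h, h)
XML = ("<configuration><network><vpn><server>192.168.1.239</server><username>theUserName"
       "</username><routes>192.168.21.0/24</routes><ipsecUserCert>%s</ipsecUserCert>"
       "<ipsecUserPrivateKey>%s</ipsecUserPrivateKey><ipsecCaCert>\n%s\n</ipsecCaCert>"
       "</vpn></network></configuration>") % (pem("CERTIFICATE"), pem("RSA PRIVATE KEY"), pem("CERTIFICATE"))
```

With the article's values the only finding is the modp1024 warning; `check_profile(XML, CONF, "")` additionally reports the missing XAUTH secret.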